Securing Kubernetes with StackRox


StackRox integrates with Kubernetes to secure clusters of containers by scanning container images during the creation, deployment, and runtime phases. Real-time alerting, dashboards, and standards compliance complete the picture.

The Outlook is Cloudy

There’s no stopping the inexorable rise of cloud computing. From the early days when it simply provided remote storage, it has brought innovation after innovation: Software-as-a-Service, Platform-as-a-Service, Infrastructure-as-a-Service, you-name-it-as-a-service. The uptake has been swift and widespread, and the impact on the traditional view of IT infrastructure has been profound.

In particular, the ability to quickly spin up preconfigured and computationally-cheap servers that are used for short tasks and then discarded has disrupted conventional thinking about the need for on-premise server hardware. On-premise hardware servers were replaced by fully-loaded cloud-hosted virtual servers. But the whole premise of remotely hosting a fully-loaded virtual machine that simply replicated the on-premise hardware it replaced is under question.

Platform-as-a-Service providers deliver OS-level virtualization. This permits containers, which incorporate the software, dependencies, and configuration files they require, to be created, spun up, auto-configured, and populated with the appropriate packages. The DevOps world talks of “cattle not pets” to distinguish the short-term commodity model of servers as containers from the high-maintenance, long-term investment in traditional fully-loaded servers.

Because a container-based infrastructure can scale rapidly and shrink again as demand requires, and because containers can communicate through well-defined channels, the IT estate of many organizations has become incredibly dynamic.

In particular, DevOps has embraced the cloud and containers and thrived because of it. Since DevOps was first promoted at DevOpsDay in Belgium in 2009, it has brought about a revolution in the philosophy and practices behind software development and systems administration and operations. The speed, quality, and collaborative benefits of DevOps are achieved by automating as many processes as possible. Automating code testing, workflows, and deployment is dependent on automated infrastructure. And that means containers. Lots of them.

With so many containers sitting on the critical path between coding and runtime, the situation cries out for a management tool to monitor, control, and administer them. Kubernetes is just such a system: a container orchestration system that automates the deployment, management, scaling, and networking of containers.

That all sounds great. Now how do we make it secure?

Security for Containers and Kubernetes

As the popularity and adoption of containerization continue to grow, the need for a dedicated security system becomes more evident. Containerization makes the cloud look like a swarm of interconnected, yet independent, mini-clouds that are being created and retired on-demand, automatically.

Retro-fitting conventional security measures onto that type of environment will not give you complete cover, nor visibility into what’s happening inside your dynamic fleet of containers. Plainly, this requires a security tool designed to satisfy the unique requirements of this type of infrastructure.

StackRox is an example of this type of defensive system. Cleverly, it leverages the capabilities and core purposes of Kubernetes instead of trying to interface with the containerized environment itself. That makes StackRox agnostic as far as container technology is concerned. Kubernetes groups containers into logical units to simplify their administration, monitoring, and management. There’s no point in re-inventing the wheel, so StackRox leaves all that to Kubernetes. StackRox talks to Kubernetes, and Kubernetes talks to the containers.

StackRox lets you monitor your Kubernetes installation for attacks or threats and visually review the state of your container estate. It installs itself as a collection of lightweight services. These interwork with Kubernetes to access all the information that Kubernetes retrieves regarding the containers. Because Kubernetes has a detailed understanding of the containers during each of the building, deployment, and in-service phases, StackRox does too.

The StackRox Model

StackRox uses collections of rules and requirements called policies. It comes with a set of 66 best-practice security policies. Each of these policies is a set of rules defining security or compliance requirements or restrictions. You can create your own policies to suit any special cases you may have.

StackRox is smart. For example, it can suggest the policies that you should enable according to the activities you’re involved in, or the type of containers you are configuring. Because StackRox is integrated right into Kubernetes, the Kubernetes scripts and the StackRox configurations can all be treated as code, and version controlled. It means all of your staff work from a single source of truth.

StackRox scans your Kubernetes estate for vulnerabilities with instant alerting to the nominated team members, as well as image scanning of the containers themselves. This happens from a container’s build phase through to its runtime. Non-compliant images found in the build phase are rejected, and the DevOps team is alerted through their continuous integration system or another preferred route.

In the deployment phase, security mechanisms can adjust permissions so that containers with vulnerabilities do not reach the runtime phase. Perhaps a container does not need internet access, but that permission has been granted in error. That container should be restricted and a message sent to the DevOps team so that they can adjust the container.
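The restriction described above, expressed as a plain Kubernetes NetworkPolicy so the effect is concrete (an added example, not StackRox configuration; the namespace, pod label, and in-cluster CIDR are assumed):

```yaml
# Added example: cut internet egress from a workload that should never need it.
# Applies to pods labelled app=report-builder in namespace "batch" (assumed names).
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: report-builder-no-internet
  namespace: batch
spec:
  podSelector:
    matchLabels:
      app: report-builder
  policyTypes:
    - Egress          # Only egress is governed here; ingress rules are left untouched.
  egress:
    # Permit DNS lookups to the cluster DNS pods only.
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
    # Permit traffic to other in-cluster addresses (assumed pod/service range);
    # anything outside this range, i.e. the public internet, is dropped.
    - to:
        - ipBlock:
            cidr: 10.0.0.0/8
```

The policy is only enforced when the cluster's network plugin implements NetworkPolicy; on a plugin that does not, it is accepted by the API server but has no effect, so verify enforcement rather than assuming it.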

StackRox prioritizes the vulnerabilities it finds according to the level of risk and the severity of the vulnerability. This allows the corrective and remedial work to be prioritized. StackRox allows you to automate much of the remediation.

StackRox also takes into account the organization’s appetite for risk, as detailed in the security policies. Even when the container deployments are running, the scanning continues.

A Tough Nut Cracked

Security monitoring, scanning, and alerting systems often fail in cloud environments—especially the fast-paced and dynamic environments that DevOps requires. StackRox provides a preemptive strike by scanning the build and deployment phases of your containers, as well as the running instances. With suitable automation, it can address most vulnerabilities before the containers are deployed.

StackRox enhances the reporting in Kubernetes to provide visibility into vulnerabilities across all your running containers. StackRox delivers timely alerts and automatic incident response. It provides similar functionality for compliance requirements, with automated and on-demand validation checks to ensure regulatory directives are met and data is protected, with out-of-the-box support for CIS, NIST, PCI, HIPAA, and more.

A collection of dynamic container clusters is a serious challenge to make secure. StackRox does all the heavy lifting for you by scanning container images from creation to deployment and detecting runtime attacks using its policies of rules and restrictions, behavioral analysis, and vulnerability database.

StackRox has features that facilitate everything from auditing access to customer environments to giving you what you need to easily complete vendor security assessments. If you’re wrestling with the security concerns and compliance difficulties coming from your container estate, put StackRox on your shortlist of tools to consider.